HYBRID SYSTEMS WITH FINITE BISIMULATIONS

GERARDO LAFFERRIERE, GEORGE J. PAPPAS, AND SHANKAR SASTRY


Abstract. The theory of formal verification is one of the main approaches to hybrid system analysis. A unified approach to decidability questions for verification algorithms is obtained by the construction of a bisimulation. Bisimulations are finite state quotients whose reachability properties are equivalent to those of the original infinite state hybrid system. This approach has had success in the reachability analysis of timed automata and initialized rectangular automata. In this paper, we use recent results from stratification theory, subanalytic sets, and model theory in order to extend the state-of-the-art results on the existence of bisimulations for certain classes of hybrid systems.


1. Introduction




Hybrid systems consist of finite state machines interacting with differential equations. Various modeling formalisms, analysis, design and control methodologies, as well as applications, can be found in [2, 3, 4, 10, 16]. The theory of formal verification is one of the main approaches for analyzing properties of hybrid systems. The system to be analyzed is first modeled as a hybrid automaton, and the desired property is expressed using a formula from some temporal logic. Then, model checking or deductive algorithms are used in order to guarantee that the system model indeed satisfies the desired property.

Verification algorithms are essentially reachability algorithms which check whether trajectories of the hybrid system can reach certain undesirable regions of the state space. Since hybrid systems have infinite state spaces, decidability of verification algorithms is very important. Decidability results for analyzing hybrid systems consider special finite state quotients of the original infinite state hybrid automaton called bisimulations. Bisimulations are reachability preserving quotient systems in the sense that checking a property on the quotient system is equivalent to checking the property on the original system. Showing that an infinite state hybrid automaton has a finite state bisimulation is the first step in proving that verification procedures are decidable. This approach has yielded several classes of decidable hybrid systems including timed automata [1], initialized rectangular automata [20], and linear hybrid automata [11]. Some undecidable classes have also been discovered in [12]. Computing finite bisimulations is clearly related to the problem of obtaining discrete abstractions of continuous systems which has been considered by [21, 17, 5] as well as [8].

Since the discrete dynamics are already finite, it is clear that decidability results for hybrid systems depend crucially on the success of obtaining finite bisimulations for continuous dynamics. The cases considered so far in the literature dealt with simple dynamics: $\dot{x} = 1$ for timed automata [1], $\dot{x} \in [a, b]$ for rectangular automata [20], and $A\dot{x} \le b$ for linear hybrid automata [11]. In this paper, we extend the bisimulation methodology to hybrid systems

We describe an algorithm which, upon termination, provides the desired finite bisimilarity quotient. In order to investigate classes of systems for which the algorithm terminates, we combine mathematical techniques from differential geometry and

bisimulations for various classes of hybrid systems with planar continuous dynamics. This convergence of mathematical logic and differential geometry also provides a natural framework for extending the decidability frontier for more general classes of hybrid systems. Such extensions will require pushing the boundary of decidable theories in mathematical logic.

Abstracting a discrete graph from a hybrid system requires the analysis of trajectories of vector fields and their intersection properties relative to a given collection of sets. Considering hybrid systems with arbitrary dynamics and arbitrary state partitions would soon lead to pathological situations. Subanalytic sets [6, 13, 23] provide a rich class of sets which have many desirable local intersection properties with trajectories of analytic vector fields. Subanalytic sets can also be partitioned into smooth embedded submanifolds in a form suitable for constructing a bisimulation. Such partitions are called stratifications. Moreover, we show that relaxing the class of vector fields or sets in some naive ways leads to pathological situations. On the other hand, the concept of o-minimal theories in logic [26, 27, 28] identifies classes of sets with good intersection properties suitable for the global study of trajectories of vector fields. The combination of techniques from both fields highlights the kind of properties of sets that play a central role in obtaining discrete abstractions.

In Section 2 we review the notion of bisimulations of transition systems. In Section 3 we define the class of hybrid systems under study and describe the main algorithm of the paper (Algorithm 2). Section 4 presents some basic facts about stratification theory and subanalytic sets and relates them to the construction of bisimulations. In Section 5 we present recent results in model theory which are used in Section 6 in order to obtain classes of systems for which the bisimulation algorithm terminates. Section 7 contains conclusions and issues for further research.


2. Bisimulations of Transition Systems

We adopt here the terminology of [11] slightly modified for our purposes. A transition system $T = (Q, \Sigma, \to, Q_0, Q_F)$ consists of a (not necessarily finite) set $Q$ of states, an alphabet $\Sigma$ of events, a transition relation $\to \subseteq Q \times \Sigma \times Q$, a set $Q_0 \subseteq Q$ of initial states, and a set $Q_F \subseteq Q$ of final states. A transition $(q_1, \sigma, q_2) \in \to$ is denoted as $q_1 \xrightarrow{\sigma} q_2$. The transition system is finite if the cardinality of $Q$ is finite and it is infinite otherwise. A region is a subset $P \subseteq Q$. Given $\sigma \in \Sigma$ we define the predecessor $\mathrm{Pre}_\sigma(P)$ of a region $P$ as

(2.1)  $\mathrm{Pre}_\sigma(P) = \{\, q \in Q \mid \exists p \in P \text{ and } q \xrightarrow{\sigma} p \,\}$

Given an equivalence relation $\sim \subseteq Q \times Q$ on the state space one can define a quotient transition system as follows. Let $Q/\!\sim$ denote the quotient space. For a region $P$ we denote by $P/\!\sim$ the collection of all equivalence classes which intersect $P$. The transition relation $\to_\sim$ on the quotient space is defined as follows: for $Q_1, Q_2 \in Q/\!\sim$, $Q_1 \xrightarrow[\sim]{\sigma} Q_2$ iff there exist $q_1 \in Q_1$ and $q_2 \in Q_2$ such that $q_1 \xrightarrow{\sigma} q_2$. The quotient transition system is then $T/\!\sim\; = (Q/\!\sim, \Sigma, \to_\sim, Q_0/\!\sim, Q_F/\!\sim)$.

Given an equivalence relation $\sim$ on $Q$, we call a set a $\sim$-block if it is a union of equivalence classes. The equivalence relation $\sim$ is a bisimulation of $T$ iff $Q_0$, $Q_F$ are $\sim$-blocks and for all $\sigma \in \Sigma$ and all $\sim$-blocks $P$, the region $\mathrm{Pre}_\sigma(P)$ is a $\sim$-block. In this case the systems $T$ and $T/\!\sim$ are called bisimilar. We will also say that a partition is a bisimulation when its induced equivalence relation is a bisimulation. A bisimulation is called finite if it has a finite number of equivalence classes. Bisimulations are very important because bisimilar transition systems generate the same language [11]. Therefore, checking properties on the bisimilar transition system is equivalent to checking properties of the original transition system. This is very useful in reducing the complexity of various verification algorithms where $Q$ is finite but very large. In addition, if $T$ is infinite and $T/\!\sim$ is a finite bisimulation, then verification algorithms for infinite systems are guaranteed to terminate. Successful applications of this approach for hybrid systems include timed automata [1], initialized rectangular automata [20], and linear hybrid automata [11]. It should be noted that the notion of bisimulation is similar to the notion of dynamic consistency [7, 8, 18]. If $\sim$ is a bisimulation, it can be easily shown that if $p \sim q$ then

B1: $p \in Q_F$ iff $q \in Q_F$, and $p \in Q_0$ iff $q \in Q_0$

B2: if $p \xrightarrow{\sigma} p'$ then there exists $q'$ such that $q \xrightarrow{\sigma} q'$ and $p' \sim q'$

Based on the above characterization, given a transition system $T$, the following algorithm computes increasingly finer partitions of the state space $Q$. If the algorithm terminates, then the resulting quotient transition system is a finite bisimulation. The state space $Q/\!\sim$ is called a bisimilarity quotient.

Algorithm 1: (Bisimulation Algorithm for Transition Systems)

Set: $Q/\!\sim\; = \{Q_0 \cap Q_F,\; Q_0 \setminus Q_F,\; Q_F \setminus Q_0,\; Q \setminus (Q_0 \cup Q_F)\}$
while: $\exists\, P, P' \in Q/\!\sim$ and $\sigma \in \Sigma$ such that $\emptyset \ne P \cap \mathrm{Pre}_\sigma(P') \ne P$
set: $P_1 = P \cap \mathrm{Pre}_\sigma(P')$, $P_2 = P \setminus \mathrm{Pre}_\sigma(P')$
refine: $Q/\!\sim\; = (Q/\!\sim \setminus \{P\}) \cup \{P_1, P_2\}$
end while

Notice that each time the partition $Q/\!\sim$ is refined, the transitions are updated to account for the newly subdivided sets. When checking specific properties, such as reachability of the set $Q_F$, one might simplify the algorithm by starting with a coarser partition, for example $\{Q_F, Q \setminus Q_F\}$. In general one should include in the initial partition all additional sets relevant to the verification problem of interest (such as safe or unsafe regions). The larger the initial class of sets the more difficult it is for the algorithm to terminate.

3. Bisimulations of Hybrid Systems

We focus on transition systems generated by the following class of hybrid systems.

Definition 3.1. A hybrid system is a tuple $H = (X, X_0, X_F, F, E, I, G, R)$ where
Figure 1. A typical hybrid automaton

• $X = X_d \times X_c$ is the state space with $X_d = \{q_1, \ldots, q_n\}$ and $X_c$ an analytic manifold.

• $X_0 \subseteq X$ is the set of initial states

• $X_F \subseteq X$ is the set of final states

• $F : X \to TX_c$ assigns to each discrete state $q \in X_d$ an analytic vector field $F(q, \cdot)$

• $E \subseteq X_d \times X_d$ is the set of discrete transitions

• $I : X_d \to 2^{X_c}$ assigns to each discrete state a set $I(q) \subseteq X_c$ called the invariant.

• $G : E \to X_d \times 2^{X_c}$ assigns to $e = (q_1, q_2) \in E$ a guard of the form $\{q_1\} \times U$, $U \subseteq I(q_1)$.

• $R : E \to X_d \times 2^{X_c}$ assigns to $e = (q_1, q_2) \in E$ a reset of the form $\{q_2\} \times V$, $V \subseteq I(q_2)$.

Trajectories of the hybrid system $H$ originate at any $(q, x) \in X_0$ and consist of either continuous evolutions or discrete jumps. Continuous trajectories keep the discrete part of the state constant, and the continuous part evolves according to the continuous flow $F(q, \cdot)$ as long as the flow remains inside the invariant set $I(q)$. If the flow exits $I(q)$, then a discrete transition is forced. If, during the continuous evolution, a state $(q, x) \in G(e)$ is reached for some $e \in E$, then discrete transition $e$ is enabled. The hybrid system may then instantaneously jump from $(q, x)$ to any $(q', x') \in R(e)$ and the system then evolves according to the flow $F(q', \cdot)$. Notice that even though the continuous evolution is deterministic, the discrete evolution may be nondeterministic. The discrete transitions allowed in our model are of the type allowed in initialized rectangular automata [20]. We assume that our hybrid system model is non-blocking, that is, from every state either a continuous evolution or a discrete transition is possible.

Example 3.2. A typical hybrid system is shown in Figure 1. The state space is $\{Q1, Q2\} \times \mathbb{R}^2$. The initial states are of the form $\{Q1\} \times \{(x, y) \in \mathbb{R}^2 \mid 0 < x < 1,\; 1 < y < 2\}$. The discrete dynamics consists of two transitions $e_1 = (Q1, Q2)$ and $e_2 = (Q2, Q1)$. Within discrete state $Q1$, the continuous variables $x$ and $y$ evolve according to a differential equation as long as $(x, y) \in I(Q1) = \{(x, y) \in \mathbb{R}^2 \mid x < 5\}$. Once $x > 5$, discrete transition $e_1$ is forced and $x, y$ are nondeterministically reset to values in fixed sets. The system then flows according to the flow associated with $Q2$. The evolution from that point on is similar. We would like to find out whether the system will reach the set of final states $\{Q2\} \times \{(x, y) \in \mathbb{R}^2 \mid x < -5\}$.

Every hybrid system $H = (X, X_0, X_F, F, E, I, G, R)$ generates a transition system $T = (Q, \Sigma, \to, Q_0, Q_F)$ by setting $Q = X$, $Q_0 = X_0$, $Q_F = X_F$, $\Sigma = E \cup \{\tau\}$, and $\to\; = \bigl(\bigcup_{e \in E} \xrightarrow{e}\bigr) \cup \xrightarrow{\tau}$ where

Discrete Transitions: $(q, x) \xrightarrow{e} (q', x')$ for $e \in E$ iff $(q, x) \in G(e)$ and $(q', x') \in R(e)$

Continuous Transitions: $(q_1, x_1) \xrightarrow{\tau} (q_2, x_2)$ iff $q_1 = q_2$ and there exists $\delta > 0$ and a curve $x : [0, \delta] \to X_c$ with $x(0) = x_1$, $x(\delta) = x_2$ and for all $t \in [0, \delta]$ it satisfies $\dot{x} = F(q_1, x(t))$ and $x(t) \in I(q_1)$.


The continuous $\tau$ transitions are time-abstract transitions, in the sense that the time it takes to reach one state from another is ignored. Having defined the continuous and discrete transitions $\xrightarrow{\tau}$ and $\xrightarrow{e}$ allows us to formally define $\mathrm{Pre}_\tau(P)$ and $\mathrm{Pre}_e(P)$ for $e \in E$ and any region $P \subseteq X$ using (2.1). Furthermore, the structure of the discrete transitions allowed in our hybrid system model results in

(3.1)  $\mathrm{Pre}_e(P) = \begin{cases} \emptyset & \text{if } P \cap R(e) = \emptyset \\ G(e) & \text{if } P \cap R(e) \ne \emptyset \end{cases}$

for all discrete transitions $e \in E$ and regions $P$. Therefore, if the sets $R(e)$ and $G(e)$ are blocks of any partition of the state space, then no partition refinement is necessary in the bisimulation algorithm due to any discrete transitions $e \in E$. This fact, in a sense, decouples the continuous and discrete components of the hybrid system. In turn, this implies that the initial partition in the bisimulation algorithm should contain the invariants, guards and reset sets, in addition to the initial and final sets. This allows us to carry out the algorithm independently for each discrete state.


More precisely, define for any region $P \subseteq X$ and $q \in X_d$ the set $P_q = \{x \in X_c : (q, x) \in P\}$. For each discrete state $q \in X_d$ consider the finite collection of sets

(3.2)  $\mathcal{A}_q = \{\, I(q),\; G(e)_q,\; R(e)_q,\; (X_0)_q,\; (X_F)_q : e \in E \,\}$

which describes the initial and final states, guards, invariants and resets associated with discrete state $q$. Let $\mathcal{S}_q$ be the coarsest partition of $X_c$ compatible with the collection $\mathcal{A}_q$ (by compatible we mean that each set in $\mathcal{A}_q$ is a union of sets in $\mathcal{S}_q$). The (finite) partition $\mathcal{S}_q$ can be easily computed by successively finding the intersections between each of the sets in $\mathcal{A}_q$ and their complements. These collections $\mathcal{S}_q$ will be the starting partitions of the bisimulation algorithm.


Algorithm 2: (Bisimulation Algorithm for Hybrid Systems)

Set: $X/\!\sim\; = \bigcup_q \mathcal{S}_q$
for: $q \in X_d$
while: $\exists\, P, P' \in \mathcal{S}_q$ such that $\emptyset \ne P \cap \mathrm{Pre}_\tau(P') \ne P$
set: $P_1 = P \cap \mathrm{Pre}_\tau(P')$, $P_2 = P \setminus \mathrm{Pre}_\tau(P')$
refine: $\mathcal{S}_q = (\mathcal{S}_q \setminus \{P\}) \cup \{P_1, P_2\}$
end while
end for


A few comments are in order here. The key problem is to investigate how the flow of $F(q, \cdot)$ interacts with the sets $\mathcal{S}_q$ for a single discrete state $q$. This requires that the trajectories of the vector field $F(q, \cdot)$ have “nice” intersection properties with such sets. Since the goal is to obtain finite partitions, it will become important that we restrict the study to classes of sets with good “finiteness” properties, for example, sets with finitely many connected components. In the subsequent sections we identify classes of sets and vector fields which exhibit such properties and for which Algorithm 2 terminates.
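As an added example (not code from the paper), the following Python program runs Algorithm 1 on a small constructed finite transition system: it implements the predecessor operator of (2.1), builds the starting partition as the coarsest partition compatible with a collection of sets (the same construction used above for $\mathcal{S}_q$), refines it until no block can be split, and then checks conditions B1 and B2 on the result. The sample system, its state names and its event names are constructed for this example and are not taken from the paper.

```python
"""Algorithm 1 (bisimulation partition refinement) on a constructed finite transition system.

Added example, not code from the paper.  Blocks are frozensets of states; a partition
is a frozenset of blocks.  The refinement loop stops exactly when every block P and
splitter P' satisfy  P ∩ Pre_sigma(P') ∈ {∅, P}  for every event sigma.
"""
from itertools import product

# Constructed sample system (not from the paper): state 0 is initial, state 5 is final.
# The branches 0->1->3->5 and 0->2->4->5 behave identically, so 1~2 and 3~4 are expected
# to survive refinement; the branch 0->6->7 never reaches the final state.
STATES = frozenset(range(8))
ALPHABET = ("a", "b", "c")
TRANS = frozenset({
    (0, "a", 1), (0, "a", 2), (0, "a", 6),
    (1, "b", 3), (2, "b", 4), (6, "b", 7),
    (3, "c", 5), (4, "c", 5),
})
Q0 = frozenset({0})
QF = frozenset({5})


def pre(trans, sigma, region):
    """Pre_sigma(P) = {q in Q | exists p in P with q --sigma--> p}, equation (2.1)."""
    return frozenset(q for (q, a, p) in trans if a == sigma and p in region)


def coarsest_compatible_partition(universe, sets):
    """Coarsest partition of `universe` in which every member of `sets` is a union of
    blocks.  Grouping elements by which of the sets contain them is the same as
    successively intersecting each set and its complement.  For sets = [Q0, QF] this
    yields the nonempty members of {Q0 ∩ QF, Q0 \\ QF, QF \\ Q0, Q \\ (Q0 ∪ QF)}."""
    blocks = {}
    for x in universe:
        signature = tuple(x in s for s in sets)
        blocks.setdefault(signature, set()).add(x)
    return frozenset(frozenset(b) for b in blocks.values())


def find_splitter(partition, alphabet, trans):
    """Return (P, P1, P2) for some block P, splitter P' and event sigma with
    ∅ ≠ P ∩ Pre_sigma(P') ≠ P, or None when the partition is stable."""
    for P, P_prime, sigma in product(partition, partition, alphabet):
        P1 = P & pre(trans, sigma, P_prime)
        if P1 and P1 != P:
            return P, P1, P - P1
    return None


def bisimulation_refine(states, alphabet, trans, q0, qf):
    """Algorithm 1.  Terminates for finite Q: each split strictly increases the
    number of blocks, which is bounded by |Q|."""
    partition = coarsest_compatible_partition(states, [q0, qf])
    while True:
        split = find_splitter(partition, alphabet, trans)
        if split is None:
            return partition
        P, P1, P2 = split
        partition = (partition - {P}) | {P1, P2}


def is_bisimulation(partition, trans, q0, qf):
    """Check B1 and B2 for every pair p ~ q, i.e. every pair in a common block."""
    block_of = {q: b for b in partition for q in b}
    for b in partition:
        for p, q in product(b, b):
            if (p in q0) != (q in q0) or (p in qf) != (q in qf):
                return False                                   # B1 violated
            for (s, a, s2) in trans:
                if s != p:
                    continue
                matched = any(t == q and a2 == a and block_of[t2] == block_of[s2]
                              for (t, a2, t2) in trans)
                if not matched:
                    return False                               # B2 violated
    return True


def run_example():
    """Refine the sample system; returns the bisimilarity quotient as a sorted list of blocks."""
    quotient = bisimulation_refine(STATES, ALPHABET, TRANS, Q0, QF)
    return sorted(sorted(b) for b in quotient)


if __name__ == "__main__":
    start = coarsest_compatible_partition(STATES, [Q0, QF])
    print("initial partition:", sorted(sorted(b) for b in start),
          "bisimulation?", is_bisimulation(start, TRANS, Q0, QF))
    final = bisimulation_refine(STATES, ALPHABET, TRANS, Q0, QF)
    print("final partition:  ", run_example(),
          "bisimulation?", is_bisimulation(final, TRANS, Q0, QF))
```

The initial three-block partition fails B2 (state 3 has a c-transition into $Q_F$ while state 1, in the same block, has none), and refinement ends with six blocks, of which $\{1, 2\}$ and $\{3, 4\}$ are the only non-singleton ones.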

One can also view the partitions in the algorithm as a way of discretizing the system trajectories. This suggests studying the continuous transitions by looking only at the points at which the trajectories move from one set in $\mathcal{S}_q$ to an “adjacent” one. This is in general not possible because sets could have rather pathological boundaries (see also Example 4.8). We will see in the next section that subanalytic sets are free from such pathologies and that in fact one can formalize the idea of trajectory discretization associated to the partition in that case.

We conclude this section with an example that shows that, even in apparently simple situations, Algorithm 2 does not terminate.

Example 3.3. Let $F$ be the linear vector field on $\mathbb{R}^2$ whose integral curves are spirals moving away from the origin (see Figure 2). Assume the partition of $\mathbb{R}^2$ consists of the following three sets (see Figure 2): $P_1 = \{(x, 0) : 0 < x < 4\}$, $P_2 = \{(x, 0) : -4 < x < 0\}$, $P_3 = \mathbb{R}^2 \setminus (P_1 \cup P_2)$. The first iteration of the algorithm partitions $P_2$ into $P_4 = P_2 \cap \mathrm{Pre}_\tau(P_1) = \{(x, 0) : x_1 < x < 0\}$ and $P_2 \setminus \mathrm{Pre}_\tau(P_1)$. Here $x_1 < 0$ is the $x$-coordinate of the first intersection point of the spiral through $(4, 0)$ with $P_2$. The second iteration subdivides $P_1$ into $P_5 = P_1 \cap \mathrm{Pre}_\tau(P_4) = \{(x, 0) : 0 < x < x_2\}$ and $P_1 \setminus \mathrm{Pre}_\tau(P_4)$ where $x_2 > 0$ is the $x$-coordinate of the next point of intersection of the spiral with $P_1$. This process continues indefinitely since the spiral intersects $P_1$ in infinitely many points, and therefore the algorithm does not terminate.

Figure 2. Algorithm 2 does not terminate


4. Subanalytic Sets and Stratifications

In this section we describe some fundamental properties of subanalytic sets (see [6, 13, 23] for more details). A differentiable manifold is real analytic ($C^\omega$) if the transition maps between local coordinate charts are analytic functions on their domains (which are open subsets of $\mathbb{R}^n$). An embedded submanifold $S$ of a manifold $M$ is a topological subspace of $M$ together with a differentiable structure such that the inclusion from $S$ into $M$ is a smooth immersion (i.e. has full rank at every point). A vector field $F$ on the real analytic manifold $M$ is analytic if its coordinates in any local chart are analytic. If $F$ is an analytic vector field then any integral curve of $F$ is analytic.

Let $M$ and $N$ be real analytic manifolds and let $C^\omega(M, N)$ denote the set of analytic functions from $M$ into $N$. If $f \in C^\omega(M, N)$ we say $f$ is of class $C^\omega$. Given an analytic manifold $U$, we denote by $\mathcal{B}(C^\omega(U, \mathbb{R}))$ the Boolean algebra generated by the sets of the form $\{x : f(x) = 0\}$ or $\{x : f(x) > 0\}$, where $f \in C^\omega(U, \mathbb{R})$.

Definition 4.1. Let $M$ be a real analytic manifold. A subset $A$ of $M$ is semianalytic in $M$ if for every $p \in M$, there is an open neighborhood $U$ of $p$ in $M$ such that $U \cap A \in \mathcal{B}(C^\omega(U, \mathbb{R}))$.

If $A \subseteq M$ is semianalytic in $M$ we write $A \in \mathrm{SMAN}(M)$.

Definition 4.2. Let $M$ be a real analytic manifold. Define $\mathrm{SBAN}_{rc}(M)$ and $\mathrm{SBAN}(M)$ by

1. $A \in \mathrm{SBAN}_{rc}(M)$ if and only if there is $(N, f, A^*)$ such that $N$ is a real analytic manifold, $f \in C^\omega(N, M)$, $A^* \in \mathrm{SMAN}(N)$, $A^*$ is relatively compact and $A = f(A^*)$;

2. $A \in \mathrm{SBAN}(M)$ if and only if $A$ is the union of a locally finite collection of members of $\mathrm{SBAN}_{rc}(M)$. (A collection of sets $\mathcal{C}$ is locally finite if any compact set intersects only finitely many sets in $\mathcal{C}$.)

We say that $A$ is subanalytic in $M$ if $A \in \mathrm{SBAN}(M)$. It is easy to see that $A \in \mathrm{SBAN}_{rc}(M)$ if and only if $A$ is subanalytic in $M$ and relatively compact. The following properties of subanalytic sets are easily derived from the definitions.

1. $\mathrm{SBAN}(M)$ is closed under locally finite unions and intersections.

2. If $A \in \mathrm{SBAN}(M)$ and $f : M \to N$ is of class $C^\omega$ and proper on $\overline{A}$, the closure of $A$, then $f(A) \in \mathrm{SBAN}(N)$. (A function $f$ is proper if $f^{-1}(K)$ is compact whenever $K$ is.)

3. If $A \in \mathrm{SBAN}(N)$ and $f : M \to N$ is of class $C^\omega$ then $f^{-1}(A) \in \mathrm{SBAN}(M)$.

The following two properties require more subtle proofs, but they give the first indication that this will be a suitable class of sets for our studies.

4. If $A \in \mathrm{SBAN}(M)$ then $M \setminus A \in \mathrm{SBAN}(M)$.

5. A subanalytic set has a locally finite number of connected components, each of which is subanalytic.

Example 4.3. Points are subanalytic, and so is any locally finite union of points, for example $\mathbb{Z}^n$ as a subset of $\mathbb{R}^n$. The empty set and $M$ are both in $\mathrm{SBAN}(M)$. Let $a, b \in \mathbb{R}$, $a < b$; then $[a, b]$, $[a, b)$, $(a, b]$ and $(a, b)$ are subanalytic in $\mathbb{R}$. The open ball $B(p, r)$ centered at $p$ of radius $r$ in $\mathbb{R}^n$ is in $\mathrm{SBAN}(\mathbb{R}^n)$.

Definition 4.4. Let $M$ be a real analytic manifold. An analytic ($C^\omega$) stratification of $M$ is a partition $\mathcal{S}$ of $M$ with the following properties:

1. each $S \in \mathcal{S}$ is a connected, real analytic, embedded submanifold of $M$,

2. $\mathcal{S}$ is locally finite,

3. given two sets $S, T \in \mathcal{S}$, $T \ne S$, such that $S \cap \overline{T} \ne \emptyset$ then $S \subseteq \overline{T}$ and $\dim S < \dim T$.

The sets in a stratification are called strata.

The central result on stratifications for our analysis is the following. For a proof see [22].

Theorem 4.5. Let $\mathcal{A}$ be a locally finite family of nonempty subanalytic subsets of a real analytic manifold $M$. For each $A \in \mathcal{A}$, let $F(A)$ be a finite set of real analytic vector fields on $M$. Then there exists a subanalytic stratification $\mathcal{S}$ of $M$, compatible with $\mathcal{A}$, and having the property that, whenever $S \in \mathcal{S}$, $S \subseteq A$, $A \in \mathcal{A}$, $X \in F(A)$, then either (i) $X$ is everywhere tangent to $S$ or (ii) $X$ is nowhere tangent to $S$. ($\mathcal{S}$ is compatible with $\mathcal{A}$ if every set in $\mathcal{A}$ is a union of sets in $\mathcal{S}$.)

Theorem 4.5 is illustrated by the following example.

Example 4.6. Let $F$ be the following analytic vector field on $\mathbb{R}^2$

$\dot{x} = x^2 + y^2$
$\dot{y} = 0$

which has an isolated equilibrium at the origin and points in the positive $x$-direction otherwise. Consider the following two subanalytic sets

$S_1 = \{(x, y) \in \mathbb{R}^2 \mid y \ge 0 \text{ and } (x - 1)^2 + y^2 = 1\}$

$S_2 = \{(x, y) \in \mathbb{R}^2 \mid y = 0 \text{ and } 0 \le x \le 2\}$

shown in Figure 3. A subanalytic stratification of $\mathbb{R}^2$ which is compatible with the sets $S_1, S_2$ and the vector field $F$ is also shown in Figure 3. It consists of

• 0-dimensional strata

- $P_1 = (0, 0)$, $P_2 = (2, 0)$, and $P_3 = (1, 1)$

• 1-dimensional strata

- $C_1 = \{(x, y) \in \mathbb{R}^2 \mid y = 0 \text{ and } 0 < x < 2\}$

- $C_2 = \{(x, y) \in \mathbb{R}^2 \mid y > 0 \text{ and } 1 < x < 2 \text{ and } (x - 1)^2 + y^2 = 1\}$

- $C_3 = \{(x, y) \in \mathbb{R}^2 \mid y > 0 \text{ and } 0 < x < 1 \text{ and } (x - 1)^2 + y^2 = 1\}$

• 2-dimensional strata

- $D_1 = \{(x, y) \in \mathbb{R}^2 \mid y > 0 \text{ and } (x - 1)^2 + y^2 < 1\}$

- $D_2 = \mathbb{R}^2 \setminus (P_1 \cup P_2 \cup P_3 \cup C_1 \cup C_2 \cup C_3 \cup D_1)$

Notice that the vector field is tangent to $P_1$ since it is an equilibrium, as well as to $C_1$, $D_1$ and $D_2$. The vector field is transverse to all the other strata. Moreover, $S_1 = P_1 \cup P_2 \cup P_3 \cup C_2 \cup C_3$ and $S_2 = P_1 \cup P_2 \cup C_1$.

In view of the above properties we will restrict our study to hybrid systems for which the relevant sets are all relatively compact and subanalytic.

Assumption 1: For each discrete state $q$ the collection $\mathcal{A}_q$ consists of relatively compact subanalytic sets. In particular, we assume there exists a compact set $K$ such that if $A \in \mathcal{A}_q$ then $A \subseteq K$.

Figure 3. Subanalytic stratification example

The partition $\mathcal{S}_q$ which serves as the initialization step of Algorithm 2 can now be assumed to be a subanalytic stratification compatible with $\mathcal{A}_q$ and the vector field $F(q, \cdot)$ (as given by Theorem 4.5).

The following proposition illustrates some of the good intersection properties that analytic curves have with subanalytic sets. The “finiteness” property indicated in the proposition makes it possible to define transitions between adjacent strata in a natural way.

Proposition 4.7. Let $I$ be an open interval, $M$ a real analytic manifold and $\gamma : I \to M$ a real analytic function. Let $\mathcal{S}$ be a $C^\omega$ stratification of $M$ by subanalytic sets. If $[a, b] \subseteq I$ then there exists a finite partition $\{x_1, \ldots, x_n\}$ of $[a, b]$ with the property that for each $i = 1, \ldots, n - 1$ there exists a stratum $S_i \in \mathcal{S}$ such that $\gamma((x_i, x_{i+1})) \subseteq S_i$.

Proof. The family $\mathcal{I} = \{\gamma^{-1}(S) \cap [a, b] : S \in \mathcal{S}\}$ is a finite partition of $[a, b]$ by subanalytic sets. Each such set consists of a finite number of points and open intervals. Using all such points and the endpoints of such intervals gives the desired partition. □


The following example shows the type of pathological situations that can be encountered if the assumption on subanalyticity is even slightly relaxed.

Example 4.8. Consider the stratification of $\mathbb{R}^2$ by the following five sets, where $f(x) = x \sin\frac{1}{x}$ for $x \ne 0$ and $f(0) = 0$:

$S_1 = \{(0, 0)\}$

$S_2 = \{(x, y) : x > 0 \;\wedge\; y = x \sin\tfrac{1}{x}\}$

$S_3 = \{(x, y) : x < 0 \;\wedge\; y = x \sin\tfrac{1}{x}\}$

$S_4 = \{(x, y) : y > f(x)\}$

$S_5 = \{(x, y) : y < f(x)\}$

Figure 4. Infinite crossings on a compact interval

Notice that $S_1$, $S_2$ and $S_3$ form the graph of the function $f$, while $S_4$ and $S_5$ denote the region above and below the graph, respectively. Each set is a $C^\omega$ embedded submanifold of $\mathbb{R}^2$ and they clearly satisfy the condition on the dimension of the strata in the closure of other strata. Finally, consider the constant vector field $F = \partial/\partial x$. Then the integral curve $\gamma$ of $F$ through $(0, 0)$ is the $x$-axis (parameterized by $x$ itself). Therefore, the image by $\gamma$ of any interval containing $0$ intersects both $S_4$ and $S_5$ an infinite number of times. This is reminiscent of the undesirable Zeno property which allows an infinite number of switches in finite time.

Since the algorithm considers one discrete state at a time, we will simplify the notation by assuming that the discrete state $q$ is fixed and drop it as a subscript. In particular we will consider a vector field $F$ and a stratification $\mathcal{S}$ of $X_c$ by subanalytic sets as provided by Theorem 4.5. By $X_c/\!\sim$ we will mean the partition of $X_c$ induced by $\mathcal{S}$. We will denote by $\gamma_x$ the integral curve of $F$ which passes through $x$ at time 0, i.e. with $\gamma_x(0) = x$.

We now proceed to formalize the notion of a discretization of the continuous transitions relative to a given partition $\mathcal{S}$. We do this mainly because it simplifies the arguments in the proof of the main theorem (Theorem 6.1). In addition it supports the intuitive picture we have that a trajectory can be decomposed as a concatenation of pieces in each of the sets in $\mathcal{S}$.

Definition 4.9 (Transition relative to $\mathcal{S}$: version 1). Given $x, y \in X_c$ we say $x \xrightarrow{\mathcal{S}} y$ iff there is $t > 0$ such that $\gamma_x(t) = y$ and there exists $S \in \mathcal{S}$ such that $\gamma_x(s) \in S$ for $0 < s < t$ and at least one of $x, y$ is in $S$.

To clarify this concept and to facilitate further discussions and proofs we introduce additional definitions.

Definition 4.10. Given two subsets $S_1, S_2$ of $X_c$ and a real analytic curve $\gamma : I \to X_c$ where $I$ is an open interval, we say that $\gamma$ leaves $S_1$ through $S_2$ (or enters $S_2$ from $S_1$) if one of the following exiting conditions is satisfied:

E1: there exist $a, b \in I$, $a < b$, such that $\gamma(t) \in S_1$ for all $t \in (a, b)$ and $\gamma(b) \in S_2$
E2: there exist $a, b \in I$, $a < b$, such that $\gamma(a) \in S_1$ and $\gamma(t) \in S_2$ for all $t \in (a, b)$.

When $x \in S_1$ we say that $\gamma_x$ leaves $S_1$ through $S_2$ if either E1 or E2 holds with $a = 0$.

The following proposition is a simple application of Proposition 4.7 and shows that Definition 4.10 covers all possible “exiting” situations for strata of $\mathcal{S}$.

Proposition 4.11. Let $S_1 \in \mathcal{S}$ and $\gamma$ be as above. If there exist $t_0 < t_1 \in I$ such that $\gamma(t_0) \in S_1$ and $\gamma(t_1) \notin S_1$ then there exists a stratum $S_2$ ($\ne S_1$) such that either E1 or E2 holds.

It is clear from Definition 4.10 that in case E1, $S_2 \cap \overline{S_1} \ne \emptyset$. By the properties of stratifications, we conclude $S_2 \subseteq \overline{S_1}$ and $\dim S_2 < \dim S_1$. Therefore, the flow exits the stratum $S_1$ through a stratum of lower dimension. Similarly in case E2, $S_1 \subseteq \overline{S_2}$ and $\dim S_1 < \dim S_2$ and the flow enters $S_2$ from a stratum of lower dimension. The following proposition further clarifies the possible exit situations.

Definition 4.12. We call a stratum $S \in \mathcal{S}$ tangential if the vector field $F$ is tangent to $S$ at every point of $S$. We call a stratum transversal otherwise.

Proposition 4.13. Let $S_1, S_2$ be strata in $\mathcal{S}$ and $\gamma$ an integral curve of $F$ which leaves $S_1$ through $S_2$. Then one (and only one) of the following holds:

1. condition E1 holds, $S_1$ is a tangential stratum and $S_2$ is a transversal stratum.

2. condition E2 holds, $S_1$ is a transversal stratum and $S_2$ is a tangential stratum.

We can now give the alternative definition of relative transitions.

Definition 4.14 (Transition relative to $\mathcal{S}$: version 2). For each $x \in X_c$ let $S(x)$ denote the unique stratum in $\mathcal{S}$ which contains $x$. Given $x, y \in X_c$ we say $x \xrightarrow{\mathcal{S}} y$ iff $\gamma_x$ leaves $S(x)$ through $S(y)$.

It is clear from Proposition 4.7 that $x \xrightarrow{c} y$ (the continuous transition) iff there exist $x_1, \ldots, x_n$ such that $x \xrightarrow{\mathcal{S}} x_1 \xrightarrow{\mathcal{S}} \cdots \xrightarrow{\mathcal{S}} x_n \xrightarrow{\mathcal{S}} y$. We will denote the Pre operator associated to $\xrightarrow{\mathcal{S}}$ by $\mathrm{Pre}_{\mathcal{S}}$. The above remark also implies that we can substitute $\mathrm{Pre}_{\mathcal{S}}$ for $\mathrm{Pre}_c$ in Algorithm 2, in the sense that if the algorithm terminates using $\mathrm{Pre}_{\mathcal{S}}$ then it also terminates when using $\mathrm{Pre}_c$.

As the stratification Theorem 4.5 shows, issues of transversality of trajectories can be analyzed within the context of subanalytic sets and analytic vector fields. However, the study of continuous transitions requires that we investigate the global behavior of trajectories. In general, trajectories of analytic vector fields (and much less their full flows) are not subanalytic. Identifying vector fields whose flows belong to a suitable class is the main obstacle in the study of bisimulations of hybrid systems. Recent developments in model theory (a branch of mathematical logic) provide some answers, and also suggest the proper context in which to carry on further studies.

5.  Model  Theory 

Model theory studies structures through properties of their definable sets (see [14, 25] for general background). The basic structures of interest for this paper are that of the real numbers as a complete ordered field, symbolized by $(\mathbb{R}, +, -, \times, <, 0, 1)$, and its extensions. Every such structure $\mathcal{M}$ has an associated language $\mathcal{L}$ of formulas. The (first order) formulas over $\mathcal{L}$ are the well-formed logical expressions obtained by using logical connectives, the quantifiers $\exists$ and $\forall$, real numbers as constants, the operations of addition and multiplication, and the relations $<$ and $=$ (quantification is allowed over variables only). All formulas will be interpreted over the real numbers. A definable set in the language $\mathcal{L}$ (or of the structure $\mathcal{M}$) is a subset of $\mathbb{R}^n$ (for some $n$) of the form $\{(a_1, \ldots, a_n) \in \mathbb{R}^n : \Phi(a_1, \ldots, a_n)\}$, where $\Phi(x_1, \ldots, x_n)$ is a formula in $\mathcal{L}$ and $x_1, \ldots, x_n$ are the free (i.e. not quantified) variables in $\Phi$. A function $f$ is definable if its graph is a definable set.

While  many  of  the  concepts  here  apply  to  more  general  structures,  in  all  that  follows  we 
consider  only  structures  over  the  real  numbers. 

Definition 5.1. The theory of $\mathcal{M}$ is o-minimal ("order minimal") if every definable subset of $\mathbb{R}$ is a finite union of points and intervals (possibly unbounded).

Tarski [24] was interested in the extension of the theory of the real numbers by the exponential function, $(\mathbb{R}, +, -, \times, <, 0, 1, \exp)$ (i.e., there is an additional symbol in the language for the exponential function). We denote this structure by $\mathbb{R}_{\exp}$. While this theory does not admit elimination of quantifiers, it was shown in [27] that it is model complete, which in turn implies that it is o-minimal. Another important extension is obtained as follows. Assume $f$ is a real-analytic function in a neighborhood of the cube $[-1, 1]^n \subset \mathbb{R}^n$. Let $\tilde f: \mathbb{R}^n \to \mathbb{R}$ be the function defined by

$$\tilde f(x) = \begin{cases} f(x) & \text{if } x \in [-1, 1]^n, \\ 0 & \text{otherwise.} \end{cases}$$

We call such functions restricted analytic functions. The structure $\mathbb{R}_{\exp,\mathrm{an}} = (\mathbb{R}, +, -, \times, <, 0, 1, \exp, \{\tilde f\})$ is then an extension of $\mathbb{R}_{\exp}$ where there is a symbol for each restricted analytic function. One reason this structure is relevant for this paper is that all relatively compact subanalytic sets are definable in $\mathbb{R}_{\exp,\mathrm{an}}$. Moreover, if $F$ is a linear vector field in $\mathbb{R}^n$ with real eigenvalues, then the trajectories of $F$ are definable in $\mathbb{R}_{\exp,\mathrm{an}}$. In [26], it was shown that $\mathbb{R}_{\exp,\mathrm{an}}$ is also o-minimal. Finally, there are a few consequences of o-minimality that are crucial for our results. We list them below under one proposition. The proofs are contained in the various references mentioned above.
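The claim that trajectories of a linear field with real eigenvalues are definable can be checked by hand; the following computation is an added illustration, not part of the paper. Write the real Jordan form $A = PJP^{-1}$ with $P$ an invertible real matrix. In the two real-eigenvalue cases (distinct eigenvalues, or a double eigenvalue with a Jordan block) the flow is

$$
e^{At}x = P\begin{pmatrix} e^{\lambda_1 t} & 0 \\ 0 & e^{\lambda_2 t} \end{pmatrix} P^{-1} x
\qquad\text{or}\qquad
e^{At}x = P\, e^{\lambda t}\begin{pmatrix} 1 & t \\ 0 & 1 \end{pmatrix} P^{-1} x ,
$$

so every coordinate of $e^{At}x$ is a finite sum of terms of the form $(\text{constant}) \cdot t^k \cdot \exp(\lambda t) \cdot x_j$ with $k \in \{0, 1\}$, and the graph $\{(x, t, y) \in \mathbb{R}^{2n+1} : y = e^{At}x\}$ is cut out by formulas using only $+$, $\times$, real constants and $\exp$. It is therefore definable already in $\mathbb{R}_{\exp}$, and a fortiori in $\mathbb{R}_{\exp,\mathrm{an}}$. For a complex pair $\lambda = \mu \pm i\omega$ the same computation produces

$$
e^{At}x = P\, e^{\mu t}\begin{pmatrix} \cos \omega t & \sin \omega t \\ -\sin \omega t & \cos \omega t \end{pmatrix} P^{-1} x ,
$$

and $\sin$ is not definable in any o-minimal expansion of the reals (its zero set $\pi\mathbb{Z}$ would be an infinite discrete definable subset of $\mathbb{R}$). This is the caveat behind the hypothesis "real eigenvalues" in Theorem 6.1 below, and why the purely imaginary case (Corollary 6.3) is handled through a first integral rather than through definability of the flow.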

Proposition 5.2. Assume $\mathcal{M}$ is an o-minimal structure. Then

1. Any definable set has a finite number of connected components, each of which is a definable set.

2. If $A$ is definable, then so is its (topological) closure $\bar A$. Moreover, $\dim \mathrm{Fr}(A) < \dim A$, where $\mathrm{Fr}(A) = \bar A \setminus A$ is the frontier of $A$ and the dimension of a set $B$ is the maximum integer $d$ for which there is an embedded $C^1$ manifold of $\mathbb{R}^n$ of dimension $d$ contained in $B$.

3. Given definable sets $A_1, \ldots, A_k$ in $\mathbb{R}^n$ (and for any integer $p$), there is a finite $C^p$ stratification of $\mathbb{R}^n$ compatible with $\{A_1, \ldots, A_k\}$. In fact, for the structure $\mathbb{R}_{\exp,\mathrm{an}}$ the strata are definable (real) analytic manifolds.

We  are  now  ready  to  apply  these  results  to  prove  that  Algorithm  2  terminates  for  certain 
classes  of  planar  systems. 
6. Finiteness Results

In this section we use the model theoretic tools of Section 5 in order to obtain classes of systems for which the Bisimulation Algorithm of Section 3 terminates.

Recall that given the family of sets $\mathcal{A}$ as in Assumption 1, and the vector field $F$, we first obtain a stratification $\mathcal{S}$ compatible with $\mathcal{A}$ as given by Theorem 4.5. We will also assume that $\mathcal{S}$ is compatible with a compact subanalytic set $K$ which contains all sets in $\mathcal{A}$. We define $\mathcal{S}_K := \{S \in \mathcal{S} : S \cap K \neq \emptyset\}$ (which is therefore finite).

Theorem 6.1. Let $X_c = \mathbb{R}^2$, let $F$ be the linear vector field $Ax$, and assume that the eigenvalues of $A$ are real. Then the bisimulation algorithm for hybrid systems (Algorithm 2), initialized with $\mathcal{S}_K$, terminates.

Proof. We will consider the case when the origin is the only equilibrium of $F$. (The other cases require minor modifications.) We assume without loss of generality that $\{(0, 0)\} \in \mathcal{S}_K$.

As indicated in Section 3, it suffices to study only the evolution of the continuous variables and use $\mathrm{Pre}_{\mathcal{S}}$ in Algorithm 2. To simplify notation we will simply refer to it as $\mathrm{Pre}$. In order to show that the bisimulation algorithm terminates we will construct a finite refinement of $\mathcal{S}_K$ which is "invariant" under the $\mathrm{Pre}$ operation and which is a refinement of the current quotient $X_c/\!\sim$ at each step.

For each stratum $S \in \mathcal{S}_K$ with $(0, 0) \in \bar S$ we consider the set

$$S_\infty = \{x \in S : \gamma_x(t) \in S \text{ for all } t \geq 0\}.$$

As mentioned earlier, since the eigenvalues of $A$ are real, the flow of $F$, $\phi(x, t) = \gamma_x(t) = e^{At}x$, is definable in $\mathbb{R}_{\exp,\mathrm{an}}$ (the entries of $e^{At}$ involve only polynomials and real exponential functions). Therefore, the set $S_\infty$ is definable. For each stratum $T$ of dimension one with $T \subset \bar S$, $T \neq S$, we consider the set

$$T_* = \{x \in T : \gamma_x \text{ leaves } T \text{ through } S_\infty\}.$$

The set $T_*$ is also definable in $\mathbb{R}_{\exp,\mathrm{an}}$ and therefore can be written as a finite, disjoint union of definable sets each of which is either a point or homeomorphic to an open interval. We may assume, by refining the original $\mathcal{S}_K$ if necessary, that the finitely many points in the decomposition of $T_*$ are already strata of $\mathcal{S}_K$.

For each $x \in X_c$ let $\Gamma_x$ denote the trajectory of $F$ passing through $x$, that is,

$$\Gamma_x = \{\gamma_x(t) : t \in \mathbb{R}\}.$$

For each stratum $S \in \mathcal{S}$ and $x \in S$, let $\Gamma_x(S)$ denote the connected component of $\Gamma_x \cap S$ which contains $x$. It is clear, from the definition of $S_\infty$, that if $x \in S_\infty$ then $\Gamma_x(S) \subset S_\infty$. From this it follows that if $x \in T$ and $\gamma_x$ leaves $T$ through $S$, then $\gamma_x$ either leaves $T$ through $S_\infty$ or leaves $T$ through $S \setminus S_\infty$.

Let $\{p_1\}, \ldots, \{p_l\}$ be all the 0-dimensional strata of $\mathcal{S}_K$. Notice that for each $i, j$, if $\Gamma_{p_i} \cap \Gamma_{p_j} \neq \emptyset$ then $\Gamma_{p_i} = \Gamma_{p_j}$. We will eliminate redundancies and assume that the $\Gamma_{p_i}$ are pairwise disjoint. For each set $S \in \mathcal{S}_K$ and each $\Gamma_{p_i}$, the sets $S \cap \Gamma_{p_i}$ and $S \setminus \bigcup_j \Gamma_{p_j}$ are definable in $\mathbb{R}_{\exp,\mathrm{an}}$ (intuitively, these sets partition $S$ "in the direction of the flow of $F$"). By o-minimality, each such set has a finite number of connected components. Let $\mathcal{B}$ denote the (finite) collection of all such connected components. The collection $\mathcal{B}$ is then a partition of $K$ compatible with $\mathcal{S}_K$ (every set in $\mathcal{S}_K$ is a union of sets in $\mathcal{B}$).

Claim: At each step of the bisimulation algorithm, $\mathcal{B}$ is compatible with the current quotient $X_c/\!\sim$.

The claim shows that $\mathcal{B}$ is finer than all partitions obtained at each step. Since $\mathcal{B}$ is finite, this proves that the algorithm terminates.

To prove the claim we first show that if $B_i \in \mathcal{B}$ for $i = 1, \ldots, n$ then

$$\mathrm{Pre}\Big(\bigcup_{i} B_i\Big) = \bigcup_{i} \mathrm{Pre}(B_i). \tag{6.1}$$

We will call a set $B \in \mathcal{B}$ tangential if $B$ is contained in a tangential stratum of $\mathcal{S}$ (i.e. $B$ is a connected component of either $S \cap \Gamma_{p_i}$ or $S \setminus \bigcup_j \Gamma_{p_j}$ with $S$ tangential). The set $B$ will be called transversal otherwise. Notice that if $B$ is tangential and $x \in B$ then $\Gamma_x(S(x)) \subset B$.

Let $x \in \mathrm{Pre}(B_i)$ for some $i = 1, \ldots, n$ and $x \notin B_i$. Suppose $\gamma_x(t) \in S(x)$ for $0 < t < \delta$ and $\gamma_x(\delta) \in B_i$ (i.e. exit condition E1). In particular, $S(x)$ is a tangential stratum. If $\gamma_x(t) \notin \bigcup_j B_j$ for $0 < t < \delta$, then $x \in \mathrm{Pre}(\bigcup_j B_j)$. If $\gamma_x(t) \in \bigcup_j B_j$ for some $0 < t < \delta$, then for some $j$, $B_j$ is tangential, so $\Gamma_x(S(x)) \subset B_j$ and $x \in \mathrm{Pre}(\bigcup_j B_j)$. If, instead, $\gamma_x(t) \in B_i$ for $0 < t < \delta$ (exit condition E2), then clearly $x \in \mathrm{Pre}(\bigcup_j B_j)$.

Conversely, let $x \in \mathrm{Pre}(\bigcup_i B_i)$. If $\gamma_x(t) \in S(x)$ for $0 < t < \delta$ and $\gamma_x(\delta) \in \bigcup_i B_i$, let $i_0$ be such that $\gamma_x(\delta) \in B_{i_0}$. Then $x \in \mathrm{Pre}(B_{i_0}) \subset \bigcup_i \mathrm{Pre}(B_i)$. If, instead, $\gamma_x(t) \in \bigcup_i B_i$ for $0 < t < \delta$, then there is $\delta' > 0$ and a $B_{i_0}$ which contains $\gamma_x(t)$ for $0 < t < \delta'$ (here we used o-minimality again, to conclude that $\Gamma_x$ intersects each $B_i$ in a finite disjoint union of points and arcs). Therefore, $x \in \mathrm{Pre}(B_{i_0})$. This concludes the proof of (6.1).

By construction, $\mathcal{B}$ is compatible with $\mathcal{S}_K$. At each step of the bisimulation algorithm we need to show that if $B = \bigcup_{i=1}^{n} B_i$ and $B' = \bigcup_{j=1}^{m} B'_j$ with $B_i, B'_j \in \mathcal{B}$, then $B \cap \mathrm{Pre}(B')$ is again a finite union of sets in $\mathcal{B}$. Based on (6.1) it will suffice to show that for $B, B' \in \mathcal{B}$, either $B \cap \mathrm{Pre}(B') = \emptyset$ or $B \cap \mathrm{Pre}(B') = B$.

We consider several cases. The set $B$ is of one of the two forms: (a) a connected component of $S \cap \Gamma_{p_i}$, or (b) a connected component of $S \setminus \bigcup_j \Gamma_{p_j}$.

If  S  is  0-dimensional  there  is  nothing  to  show  because  B  contains  a  single  point. 

If $S$ is 1-dimensional and $B$ is of type (a), then either $S$ is transversal and $B$ consists of a single point, or $S$ is tangential and so $B = \Gamma_x(S)$ for any $x \in B$. The first case is again clear. In the second case, if there is $x \in B \cap \mathrm{Pre}(B')$ then there exists $\delta > 0$ such that $\gamma_x(t) \in S$ for $0 < t < \delta$ and $\gamma_x(\delta) \in B'$. But then for all $y \in \Gamma_x(S)$, $\gamma_y$ leaves $S$ through $B'$. So $B = \Gamma_x(S) \subset \mathrm{Pre}(B')$.

If $S$ is 1-dimensional and $B$ is of type (b) then we again consider separately the cases when $S$ is tangential and when $S$ is transversal. In the first case we proceed as before. Assume now that $S$ is transversal. Notice that if $x \in B \cap \mathrm{Pre}(B')$ then $\Gamma_x$ intersects both $B$ and $B'$. Therefore $B'$ is also a connected component of $S' \setminus \bigcup_j \Gamma_{p_j}$ (for some stratum $S'$). By transversality, $\gamma_x$ leaves $S$ into $S'$ under exit condition E2, and so $S \subset \mathrm{Fr}(S') = \bar S' \setminus S'$ and $S'$ is 2-dimensional. By continuity of the flow of $F$, there is an open neighborhood $N$ of $x$ such that for $y \in N \cap B$, $\gamma_y$ leaves $S$ through $S'$. Moreover, since there are finitely many $\Gamma_{p_i}$, we may assume (by taking $N$ smaller) that $\gamma_y$ leaves $S$ through $B'$. We have then shown that the set $E = \{x \in B : \gamma_x \text{ leaves } S \text{ through } B'\}$ is open in $B$. Suppose $E \neq B$. Then there is $y \in B$ in the frontier of $E$ (relative to $B$). We can find a neighborhood $W$ of $y$ such that $W \cap \Gamma_{p_i} = \emptyset$ for all $i$. Since $S'$ is open in $\mathbb{R}^2$ and $S$ is transversal, we can find a neighborhood $W_0 \subset W$ of $y$ and $\epsilon > 0$ such that for $z \in W_0 \cap S$ and $0 < t < \epsilon$ we have $\gamma_z(t) \in W \cap S'$. But then every such $z$ belongs to $E$. This contradicts the fact that $y$ is a frontier point of $E$. Therefore, $E$ is also closed in $B$ and so it must equal $B$ (since $B$ is connected). We conclude in this case that $B = B \cap \mathrm{Pre}(B')$.

There is only one case remaining: $S$ of dimension 2 (and hence tangential). If $B$ is of type (a) then $\Gamma_x(S) = B$ and we are done as before.

Assume then that $B$ is a connected component of $S \setminus \bigcup_j \Gamma_{p_j}$, $B'$ a connected component of $S' \setminus \bigcup_j \Gamma_{p_j}$, $S'$ is transversal, and $\dim S' = 1$. (The case with $S'$ 0-dimensional is excluded since in that case $S' \cap \Gamma_{p_i} \neq \emptyset$ for some $i$.)

Let $x \in B \cap \mathrm{Pre}(B')$ and assume there is $y \in B \setminus \mathrm{Pre}(B')$. We want to show that this leads to a contradiction. Let $\alpha: [0, 1] \to B$ be a curve connecting $x$ to $y$. Let $t_0$ be the smallest $t \in [0, 1]$ such that $\gamma_{\alpha(t)}(s) \notin B'$ for all $s > 0$. If $\gamma_{\alpha(t_0)}(s) \in S$ for all $s > 0$ then $\alpha(t_0) \in S_\infty$. By the choice of $t_0$ we in fact have $\alpha(t_0) \in \Gamma_{p_i}$ for some $i$ (see the initial subdivision caused by $S_\infty$). But this contradicts the fact that $B$ is of type (b). Assume then that $\gamma_{\alpha(t_0)}(s) \notin S$ for some $s > 0$. For each $t \in [0, t_0]$ let $s(t)$ be the smallest $s$ such that $\gamma_{\alpha(t)}(s) \notin S$, and set $p(t) = \gamma_{\alpha(t)}(s(t))$. There are two possibilities: either $p(t_0) \in S'$ or $p(t_0) \in \bar S' \setminus S'$.

In the first case choose a local chart $(N, \varphi)$ centered at $p(t_0)$ so that in $\varphi$-coordinates we have $N \cap S' = N \cap B' = \{(z, 0)\}$ and $N \cap S = \{(z, y) : y > 0\}$ (therefore $F$ points into the lower half plane at every point of $N \cap B'$). By continuity of the flow and transversality, we still have that $\gamma_{\alpha(t)}$ crosses $N \cap B'$ from the upper to the lower half plane for $t_0 < t < t_0 + \epsilon$. But this contradicts the choice of $t_0$.

In the second case, $p(t_0)$ lies in a 0-dimensional stratum, so $p(t_0) \in \Gamma_{p_i}$ for some $i$. But this contradicts the fact that $B$ is of type (b).

All this implies that every $y$ in $B$ must also be in $\mathrm{Pre}(B')$. That is, $B = B \cap \mathrm{Pre}(B')$. This concludes the proofs of the claim and the theorem. $\square$


As the proof above suggests, the termination of the algorithm depends on the fact that the integral curves of the vector field intersect relatively compact subanalytic sets in at most finitely many connected pieces (points and arcs). This allows us to get the following generalization.
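The termination argument just given (a finite partition $\mathcal{B}$ for which $B \cap \mathrm{Pre}(B')$ is always $\emptyset$ or $B$, so that every refinement step stays coarser than $\mathcal{B}$) can be played out in full on a finite transition relation, where $\mathrm{Pre}$ is a simple set computation. The following Python is an added example and not code from the paper: the states, transitions, initial partition and the hand-picked stable partition `STABLE_FINE` are constructed for the illustration, and the refinement loop is the textbook finite version of the bisimulation algorithm (the paper's Algorithm 2 itself is not reproduced on this page). Note that for a relation-based `pre` the distributivity (6.1) holds trivially; in the paper it has to be proved because $\mathrm{Pre}_{\mathcal{S}}$ is defined through exit conditions on whole sets.

```python
"""Finite partition refinement (bisimulation) driven by a Pre operator.

Added example, not code from the paper: it plays out the termination
argument of Theorem 6.1 on a finite transition relation, where Pre is
computable exactly.
"""

# Constructed example (not from the paper): six states and their one-step
# transitions; c and f are absorbing.
STATES = frozenset("abcdef")
TRANSITIONS = frozenset({("a", "b"), ("b", "c"), ("c", "c"),
                         ("d", "e"), ("e", "f"), ("f", "f")})
# Initial partition: the observation to preserve, here a "bad" region {c, f}
# versus everything else (the role played by S_K in the proof).
INITIAL = [frozenset("abde"), frozenset("cf")]
# A finer partition that is already stable under Pre; the analogue of the
# collection B in the proof (hypothetical, chosen by hand for this example).
STABLE_FINE = [frozenset("a"), frozenset("d"), frozenset("be"), frozenset("cf")]


def pre(relation, target):
    """Pre(target): states with a one-step transition into `target`."""
    return frozenset(x for (x, y) in relation if y in target)


def is_stable(partition, relation):
    """Fixed-point condition from the proof: for all blocks B, B',
    B ∩ Pre(B') is either empty or all of B."""
    for b in partition:
        for b2 in partition:
            hit = b & pre(relation, b2)
            if hit and hit != b:
                return False
    return True


def is_finer(fine, coarse):
    """Every block of `fine` is contained in a single block of `coarse`."""
    return all(any(f <= c for c in coarse) for f in fine)


def refine_once(partition, relation):
    """One round: split each block by Pre of every current block."""
    splitters = [pre(relation, b2) for b2 in partition]
    new_blocks = set()
    for block in partition:
        pieces = [block]
        for p in splitters:
            pieces = [q for piece in pieces for q in (piece & p, piece - p) if q]
        new_blocks.update(pieces)
    return sorted(new_blocks, key=sorted)


def refine(partition, relation, max_rounds=10_000):
    """Iterate refine_once until the partition is stable (a fixed point).

    Returns the stable partition and every intermediate partition, so the
    caller can check that a known stable partition stays finer throughout."""
    current = sorted({frozenset(b) for b in partition}, key=sorted)
    history = [current]
    for _ in range(max_rounds):
        nxt = refine_once(current, relation)
        if set(nxt) == set(current):
            return current, history
        current = nxt
        history.append(current)
    raise RuntimeError("no fixed point reached; partition keeps splitting")


def run_example():
    """Refine INITIAL and check the bound STABLE_FINE imposes on every step."""
    final, history = refine(INITIAL, TRANSITIONS)
    bounded = all(is_finer(STABLE_FINE, p) for p in history)
    return final, history, bounded


if __name__ == "__main__":
    final, history, bounded = run_example()
    print("stable partition:", [sorted(b) for b in final])
    print("rounds:", len(history) - 1, "bounded by STABLE_FINE:", bounded)
```

On this input one round suffices: `{a,b,d,e}` is split by `Pre({c,f}) = {b,c,e,f}` into `{a,d}` and `{b,e}`, after which no block is split further. `STABLE_FINE` is stable and finer than the initial partition, and, exactly as the Claim in the proof asserts, it stays finer than every partition the algorithm produces, which is what bounds the number of rounds by the number of its blocks.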

Theorem 6.2. If $F$ is an analytic vector field in $\mathbb{R}^2$ which admits an analytic family of first integrals, then the bisimulation algorithm terminates. (Here, by an analytic family of first integrals we mean a non-constant (real) analytic function $f: \mathbb{R}^2 \to \mathbb{R}$ such that for each trajectory $\gamma$ of $F$ the function $f(\gamma(t))$ is constant.)
Proof. Notice that each level curve of $f$ is an analytic set and therefore its intersection with any relatively compact definable set (in $\mathbb{R}_{\exp,\mathrm{an}}$) is definable in $\mathbb{R}_{\exp,\mathrm{an}}$. The proof then follows the lines of the previous one, but replacing the sets $\Gamma_{p_i}$ with the corresponding level sets of $f$ (level sets of $f$ are at most 1-dimensional since $f$ is not constant on any open set). $\square$

Corollary 6.3. If $F$ is a linear vector field in $\mathbb{R}^2$ with purely imaginary eigenvalues and $\mathcal{S}_K$ is as in the theorem, then the bisimulation algorithm terminates.

Proof. Unless $A = 0$, in which case the result is trivial, there exists an (invertible) matrix $P$ such that $\|Px\|^2$ is constant along trajectories of $F$. $\square$
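The one-line proof above leaves the construction of $P$ to the reader. The following Python is an added example, not code from the paper, that carries it out for a planar $A$ with eigenvalues $\pm i\omega$ (equivalently, $\operatorname{tr} A = 0$ and $\det A = \omega^2 > 0$), and checks numerically, along the exact flow, that $\|Px\|^2$ is conserved while the plain $\|x\|^2$ is not. The matrix `A_EXAMPLE`, the starting point `X0` and all function names are assumptions of this example.

```python
"""Corollary 6.3 made concrete: for x' = Ax on the plane with purely
imaginary eigenvalues, build an invertible P such that ||Px||^2 is constant
along every trajectory.

Added example, not code from the paper.  A 2x2 real matrix has eigenvalues
+-i*w exactly when trace(A) = 0 and det(A) = w^2 > 0 (A = 0 aside).
"""
import math


def conserving_matrix(A):
    """Return (P, w) with P A P^{-1} = J = [[0, w], [-w, 0]] (skew-symmetric).

    An eigenvector of A for i*w is (b, -a + i*w) = u + i*v with u = (b, -a)
    and v = (0, w).  For Q = [u v] one checks A Q = Q J, so P = Q^{-1} works.
    b != 0 is forced by trace 0 and det > 0, hence Q is invertible."""
    (a, b), (c, d) = A
    det = a * d - b * c
    if abs(a + d) > 1e-12 or det <= 0:
        raise ValueError("eigenvalues of A are not purely imaginary")
    w = math.sqrt(det)
    q00, q01, q10, q11 = b, 0.0, -a, w          # Q = [[b, 0], [-a, w]]
    detq = q00 * q11 - q01 * q10                 # = b * w != 0
    P = [[q11 / detq, -q01 / detq], [-q10 / detq, q00 / detq]]
    return P, w


def flow(A, x, t):
    """Exact e^{At} x for trace-zero A: Cayley-Hamilton gives A^2 = -w^2 I,
    so e^{At} = cos(w t) I + (sin(w t)/w) A.  (These sin/cos terms are why the
    flow is not definable in R_exp,an; the first integral is what gives
    termination in this case.)"""
    (a, b), (c, d) = A
    w = math.sqrt(a * d - b * c)
    ax = (a * x[0] + b * x[1], c * x[0] + d * x[1])
    cs, sn = math.cos(w * t), math.sin(w * t) / w
    return (cs * x[0] + sn * ax[0], cs * x[1] + sn * ax[1])


def quad_form(P, x):
    """||P x||^2."""
    y0 = P[0][0] * x[0] + P[0][1] * x[1]
    y1 = P[1][0] * x[0] + P[1][1] * x[1]
    return y0 * y0 + y1 * y1


def max_drift(A, P, x0, horizon=10.0, samples=400):
    """Largest deviation of ||P x(t)||^2 from its initial value on [0, horizon]."""
    base = quad_form(P, x0)
    return max(abs(quad_form(P, flow(A, x0, horizon * k / samples)) - base)
               for k in range(samples + 1))


def conjugate(A, P):
    """P A P^{-1}, so the caller can inspect that it is the skew matrix J."""
    (a, b), (c, d) = A
    detp = P[0][0] * P[1][1] - P[0][1] * P[1][0]
    Pinv = [[P[1][1] / detp, -P[0][1] / detp], [-P[1][0] / detp, P[0][0] / detp]]
    PA = [[P[0][0] * a + P[0][1] * c, P[0][0] * b + P[0][1] * d],
          [P[1][0] * a + P[1][1] * c, P[1][0] * b + P[1][1] * d]]
    return [[PA[i][0] * Pinv[0][j] + PA[i][1] * Pinv[1][j] for j in range(2)]
            for i in range(2)]


# Constructed example: trace 0, det 4, eigenvalues +-2i.  A is not skew, so the
# Euclidean norm ||x||^2 is *not* conserved; ||Px||^2 is.
A_EXAMPLE = [[1.0, 2.0], [-2.5, -1.0]]
X0 = (1.0, 0.5)
IDENTITY = [[1.0, 0.0], [0.0, 1.0]]

if __name__ == "__main__":
    P, w = conserving_matrix(A_EXAMPLE)
    print("w =", w, " P =", P, " P A P^-1 =", conjugate(A_EXAMPLE, P))
    print("drift of ||Px||^2:", max_drift(A_EXAMPLE, P, X0))
    print("drift of ||x||^2: ", max_drift(A_EXAMPLE, IDENTITY, X0))
```

With $y = Px$ one has $\dot y = PAP^{-1}y = Jy$ and $\frac{d}{dt}\|y\|^2 = 2y^{\mathsf T}Jy = 0$ because $J$ is skew-symmetric; the level sets of $\|Px\|^2$ are the ellipses that play the role of the finitely many trajectories $\Gamma_{p_i}$ in the proof of Theorem 6.1.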

Corollary 6.4. If $F$ is an analytic Hamiltonian vector field in $\mathbb{R}^2$ and $\mathcal{S}_K$ is as above, then the bisimulation algorithm terminates.

Proof. The Hamiltonian is constant along the trajectories. $\square$

Remark 6.5. As is clear from the proofs above, the key is that all the objects involved (the vector field $F$, the initial family of sets, the flow of $F$) be definable in some o-minimal extension of the field of real numbers. We presented above just two specific instances of such a situation which can be easily characterized. A more recent o-minimal extension of the reals, by so called Pfaffian functions, was found in [28].

The issue of decidability is a much harder and still open problem. It is not even known if the theory of $\mathbb{R}_{\exp}$ is decidable, although in [15] it was shown that it would be a consequence of Schanuel's conjecture in number theory. The results we obtained in this paper suggest how to find some restricted classes of vector fields for which the algorithm is constructive. Indeed, if all the relevant sets are semialgebraic (for example, if $F$ is a Hamiltonian vector field on the plane with a polynomial Hamiltonian and the initial conditions, guards, etc., are semialgebraic), then they are definable in $(\mathbb{R}, +, -, \times, <, 0, 1)$, for which decision methods are known (see [9] for a related result).


7.  Conclusions 

In this paper, we presented an algorithm for obtaining finite bisimulations of hybrid systems. Termination was guaranteed for classes of vector fields with planar continuous dynamics. This was achieved by combining the geometric framework of subanalytic sets with model theoretic concepts from mathematical logic. The mathematical tools used in this paper provide the natural platform for the study of reachability properties of hybrid systems.

Issues for further study include the extension of the main result to $\mathbb{R}^n$. The tools used in the proof of the main theorem apply to higher dimensions. The key construction in the two-dimensional case depended on finitely many trajectories. The higher dimensional version requires a detailed analysis of infinite collections of trajectories, organized perhaps inductively according to the dimension of the strata involved.

Bisimulations of hybrid systems with more general discrete transitions can also be considered in the framework of subanalytic stratifications and o-minimal structures. However, the reset maps must be in some sense compatible with the flows for the procedure to terminate. In addition, for certain restricted classes of vector fields the algorithm can be made constructive (for example, for vector fields on the plane with a polynomial Hamiltonian and all relevant sets semialgebraic). Furthermore, if the bisimulation algorithm does not terminate (or is not computable), it may be useful to consider system over-approximations [19], for which the algorithm would terminate (or is computable).